Skip to content

Convert WebAuthn options endpoints from GET to POST#147

Merged
santiagorodriguez96 merged 2 commits into
masterfrom
sr--post-options-endpoints
Jul 9, 2026
Merged

Convert WebAuthn options endpoints from GET to POST#147
santiagorodriguez96 merged 2 commits into
masterfrom
sr--post-options-endpoints

Conversation

@santiagorodriguez96

Copy link
Copy Markdown
Collaborator

Motivation

Fixes #145.

Details

The four WebAuthn options endpoints (passkey_registration_options, passkey_authentication_options, security_key_registration_options and security_key_authentication_options) now respond to POST instead of GET: their routes and controllers were changed from index to create (with forgery protection skipped), and the bundled JavaScript was updated to fetch the options with a POST request.

module Devise
class PasskeyAuthenticationOptionsController < DeviseController
def index
skip_forgery_protection

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this needed?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to keep it simple in the JS side, as a forged options request can't do any harm: the session write only rotates the pending challenge.

@santiagorodriguez96
santiagorodriguez96 merged commit cbb000e into master Jul 9, 2026
31 checks passed
@santiagorodriguez96
santiagorodriguez96 deleted the sr--post-options-endpoints branch July 9, 2026 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Options endpoints should use POST instead of GET

2 participants